From f0b12f40e960ebb923decb0e32954b790b61691b Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 3 May 2005 15:56:33 +0000 Subject: More updates from feedback. (This used to be commit bf17c2180a70589ed5bf47fb081268246eec6395) --- .../TOSHARG-AccessControls.xml | 32 +++++++++++++++------- .../TOSHARG-Group-Mapping.xml | 22 ++++++++++++++- docs/Samba-HOWTO-Collection/index.xml | 3 +- 3 files changed, 45 insertions(+), 12 deletions(-) (limited to 'docs') diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml b/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml index 251cc32fcc..f074d2c140 100644 --- a/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-AccessControls.xml @@ -352,10 +352,12 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 An overview of the permissions field can be found in Overview of UNIX permissions field. - Overview of UNIX permissions field.access1 + Overview of UNIX permissions field. + access1 - Any bit flag may be unset. An unset bit flag is the equivalent of cannot and is represented as a - character. + Any bit flag may be unset. An unset bit flag is the equivalent of cannot and is represented + as a - character. Example File @@ -373,9 +375,9 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 - The letters rwxXst set permissions for the user, group and others as: read (r), write (w), execute (or access for directories) (x), - execute only if the file is a directory or already has execute permission for some user (X), set user or group ID on execution (s), - sticky (t). + The letters rwxXst set permissions for the user, group and others as: read (r), write (w), + execute (or access for directories) (x), execute only if the file is a directory or already has execute + permission for some user (X), set user or group ID on execution (s), sticky (t). 
@@ -406,11 +408,21 @@ drwsrwsrwx 2 maryo gnomes 48 2003-05-12 22:29 muchado08 For example, Windows NT/2K/XP provides the capacity to set access controls on a directory into which people can write files but not delete them. It is possible to set an ACL on a Windows file that permits the file to be written to but not deleted. Such concepts are foreign to the UNIX operating system file space. Within the UNIX file system - anyone who has the ability to create a file can write to it, and has the capability to delete it. Of necessity, Samba - is subject to the file system semantics of the host operating system. Samba is therefore limited in the file system - capabilities that can be made available through Windows ACLs, and therefore performs a best fit - translation to POSIX ACLs. Some UNIX file systems do however support a feature known as extended attributes. Only - the Windows concept of inheritance is implemented by Samba through the appropriate extended attribute. + anyone who has the ability to create a file can write to it, and has the capability to delete it. + + + + For the record, in the UNIX environment the ability to delete a file is controlled by the permissions on + the directory that the file is in. In other words, a user can delete a file in a directory to which that + user had write access, even if that user does not own the file. + + + + Of necessity, Samba is subject to the file system semantics of the host operating system. Samba is therefore + limited in the file system capabilities that can be made available through Windows ACLs, and therefore performs + a best fit translation to POSIX ACLs. Some UNIX file systems do however support a feature known + as extended attributes. Only the Windows concept of inheritance is implemented by Samba through + the appropriate extended attribute. diff --git a/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml b/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml index 68459cf2f0..f9cb236bcc 100644 
--- a/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml +++ b/docs/Samba-HOWTO-Collection/TOSHARG-Group-Mapping.xml @@ -69,7 +69,8 @@ IDMAP In both cases, when winbindd is not running, only locally resolvable groups can be recognized. Please refer to - IDMAP: group SID to GID resolution and IDMAP: GID resolution to matching SID. + IDMAP: group SID to GID resolution and + IDMAP: GID resolution to matching SID. The net groupmap is used to establish UNIX group to NT SID mappings as shown in IDMAP: storing group mappings. @@ -199,6 +200,25 @@ but for now the burden is on you. + + Warning &smbmmdsh; User Private Group Problems + + + Windows does not permit user and group accounts to have the same name. + This has serious implications for all sites that use private group accounts. + A private group account is an administrative practice whereby users are each + given their own group account. Red Hat Linux, as well as several free distributions + of Linux by default create private groups. + + + + When mapping a UNIX/Linux group to a Windows group account all conflict can + be avoided by assuring that the Windows domain group name does not overlap + with any user account name. + + + + Important Administrative Information diff --git a/docs/Samba-HOWTO-Collection/index.xml b/docs/Samba-HOWTO-Collection/index.xml index a95c6b21b7..7e788ab0d0 100644 --- a/docs/Samba-HOWTO-Collection/index.xml +++ b/docs/Samba-HOWTO-Collection/index.xml @@ -117,6 +117,7 @@ The chapters in this part each cover specific Samba features. + @@ -149,7 +150,7 @@ The chapters in this part each cover specific Samba features. - + -- cgit
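Review bot: In the TOSHARG-AccessControls.xml hunk at -406, the new "For the record" paragraph states the directory-write rule without its exception. When the sticky bit is set on the directory (the t flag described in the hunk at -373 of this same file), only the file's owner, the directory's owner, or root can delete or rename an entry. The surrounding text calls a directory that people can write to but not delete from a concept foreign to UNIX, so readers will lean on this paragraph when they set up shared directories. I would add a sentence on the sticky bit, say that search (x) permission on the directory is needed along with write, and change "had write access" to "has write access" so the tense matches the rest of the sentence.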
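Review bot: In the TOSHARG-Group-Mapping.xml hunk at -199, the new title uses the entity &smbmmdsh;, whose spelling looks like a typo; please check it against the entity declarations, because an undeclared entity stops the XML from parsing. In the body, "assuring" should be "ensuring", and "by default create private groups" reads better as "create private groups by default". The warning says the name clash has serious implications but never says what the administrator will see when a mapped group name matches a user account name; one sentence on the symptom, and a short net groupmap example that maps a private group to a distinct domain group name, would make it something a reader can act on.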
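Review bot: The two index.xml hunks (-117 and -150) add one line and replace another, yet the commit message "More updates from feedback." does not mention any change to the book structure. Please name in the message what is included at line 117 and what is swapped at line 150, so the change can be found from the log later without reading the diff.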